The office manager at a dermatology practice in Southern California told us she had been wanting to collect patient feedback for two years. "Every time I brought it up," she said, "someone on the compliance team would say 'HIPAA' and the conversation would end. Nobody could tell me what was actually prohibited. They just knew it felt risky."
That reaction is common across medical practices of every size and specialty. HIPAA has become a conversation-stopper for patient feedback, even though the regulation does not prevent practices from asking patients how their experience was. It shapes how you collect, store, and handle that information. But it does not prohibit the collection itself.
The result is a gap. Practices that could benefit enormously from hearing directly from their patients avoid doing so out of regulatory caution that, on closer examination, is often misplaced.
What HIPAA actually says
HIPAA governs the use and disclosure of protected health information (PHI). PHI includes any individually identifiable information that relates to a patient's health condition, the provision of healthcare, or payment for healthcare. It covers names, dates of service, diagnoses, treatment details, and dozens of other data points.
What HIPAA does not do is prevent a practice from communicating with its own patients. You are allowed to contact patients about their care. You are allowed to ask how their visit went. You are allowed to collect their opinions about the experience.
The constraints are about how you handle the data, not whether you collect it. Specifically, there are three areas where HIPAA intersects with feedback collection.
1. The feedback prompt itself
If you send a patient a text message or email asking about their visit, the message itself should not contain PHI. "Hi Sarah, how was your appointment today?" is fine. "Hi Sarah, how was your dermatology follow-up for your psoriasis treatment?" is not. The first acknowledges an appointment. The second discloses clinical information through a channel that may not be secure.
The rule is straightforward. Keep the outbound message generic. Do not reference specific procedures, diagnoses, or treatment details in the prompt. Let the patient choose what to share in their response.
2. The feedback response
When a patient responds to a feedback prompt, they may voluntarily include health information. A patient might write, "The wait time for my MRI was too long" or "Dr. Patel was wonderful during my biopsy." That information is now in your possession, and HIPAA applies to how you store and handle it.
The key distinction is that the patient disclosed this information voluntarily. The practice did not solicit specific clinical details. The patient chose to include them in their feedback. This is an important legal distinction that affects how the data is classified and what obligations attach to it.
Regardless of how the information arrives, it should be stored securely. That means access controls, encryption where appropriate, and clear policies about who on the team can read and act on feedback that contains clinical references.
3. Feedback storage and access
Patient feedback that contains any individually identifiable information should be treated as PHI for storage purposes. This does not mean you need a dedicated HIPAA-compliant survey platform. It means the data should be stored in a location with appropriate access controls and should not be accessible to anyone who does not have a legitimate need to see it.
For many practices, a private spreadsheet with restricted access is sufficient. The feedback lives in the same secure environment as other operational data. Staff who need to review and act on it have access. Staff who do not, do not. The same principles that govern access to patient charts govern access to patient feedback.
What a compliant feedback channel looks like
A well-designed patient feedback system for a medical practice has several specific characteristics.
The prompt is generic and warm
The message that goes out to the patient after their visit says something like: "Thank you for visiting [Practice Name] today. We would love to hear how your experience was. It takes less than a minute." It includes a link to a branded feedback page. It does not mention the reason for the visit, the provider seen, or any clinical detail.
The feedback page does not ask for clinical information
The page itself asks about the experience, not the care. Good questions include: "How would you rate your overall experience?" and "Is there anything we could have done differently?" and "Would you recommend us to a friend or family member?" These questions invite the patient to share what mattered to them without prompting them to disclose clinical details.
If a patient chooses to mention their condition or treatment in their response, that is their prerogative. The practice did not ask for it. The practice did not create conditions where the patient felt required to disclose it. The patient volunteered it in the context of sharing their experience.
Responses are stored with appropriate controls
Feedback responses go to a private, access-controlled location. At practices we work with, this is typically a private Google Sheet that is shared only with designated staff members. Access is logged. The sheet is not publicly accessible. Because the sheet is hosted by a third party, the same Business Associate Agreement question that applies to survey tools applies here, and the practice's existing HIPAA policies extend to cover this data.
Follow-up conversations stay general
When a practice follows up on feedback, the follow-up should not reference clinical details that the patient shared. A good follow-up looks like: "Thank you for sharing your feedback. We appreciate you taking the time, and we are working on improving the areas you mentioned." A problematic follow-up would be: "We are sorry your chemotherapy appointment ran long."
The principle is consistent. The practice keeps its outbound communications general. The patient controls what clinical information, if any, enters the conversation.
Common mistakes practices make
Even practices that understand the broad HIPAA framework often stumble on implementation details. Here are the most common errors we see.
Using the EHR to trigger feedback
Some practices try to automate feedback prompts by linking them directly to their electronic health record system. This creates two problems. First, it can embed clinical data into the feedback workflow in ways that are hard to control. Second, it often requires sharing patient contact information with a third-party survey tool, which may or may not have a Business Associate Agreement in place.
A simpler approach is to separate the feedback workflow from the clinical workflow entirely. The front desk team sends the feedback link as part of the checkout process, using a standard text message or email template. No clinical system integration required. No data leaves the practice's control.
Asking condition-specific questions
Some practices design feedback forms that ask about the specific service the patient received. "How was your colonoscopy experience?" or "Please rate your physical therapy session." These questions disclose the nature of the patient's visit through the feedback channel itself, which is problematic even if the channel is secure.
Keep the questions general. "How was your visit?" accomplishes the same thing without creating disclosure risk. The patient will mention the specific service if it is relevant to their feedback. You do not need to prompt it.
Sharing feedback publicly without consent
A practice that collects a glowing patient testimonial might be tempted to share it on their website or social media. This requires explicit, written patient authorization. The HIPAA authorization must be separate from any general consent the patient signed at intake. It must specify what information will be shared, where it will be shared, and for how long.
Many practices avoid this complexity entirely by keeping all feedback private and internal. The feedback is an operational tool, not a marketing asset. If a patient independently chooses to leave a public review on Google or Healthgrades, that is their decision. The practice's private feedback channel stays private.
Failing to train staff
The front desk team, nurses, and medical assistants who interact with patients need to understand the feedback process and the compliance boundaries around it. They need to know what to say when sending the link ("We would love to hear how your visit went"), what not to say ("Please let us know how your procedure went"), and how to handle situations where a patient shares feedback verbally at checkout.
A 15-minute training session at launch, with a one-page reference guide, is typically sufficient. The rules are not complex. But they need to be communicated clearly to everyone who touches the process.
Building the ongoing feedback loop
A single feedback prompt after a single visit is useful but limited. The real value comes from building an ongoing channel where patient feedback flows consistently into the practice's operations.
Frequency
For practices with recurring patients (physical therapy, dermatology, primary care), a feedback prompt after every visit would quickly become annoying. A reasonable cadence is every third or fourth visit, or once per quarter for regular patients. For practices with primarily one-time or infrequent visits (surgery centers, urgent care), a prompt after each visit is appropriate.
Review cadence
Someone on the team should review new feedback daily. This does not take long. Most practices receive a handful of responses per day. The daily review ensures that urgent issues (a patient who reports a safety concern, a complaint about a specific staff interaction) are caught and addressed promptly.
Monthly, the practice should review feedback in aggregate. What patterns are emerging? Which providers consistently receive the highest satisfaction ratings? What operational issues keep coming up? This monthly review turns individual data points into actionable insight.
Closing the loop
The most important part of the feedback loop is, literally, the loop. When a patient shares feedback and the practice acts on it, the patient should know. Not with a detailed explanation. Just a signal that their input was received and valued. "Thank you for your feedback. We have made some changes based on what patients like you have told us." That sentence, sent three months after the feedback was received, turns a transaction into a relationship.
Patients who feel that their feedback made a difference become loyal patients. They return. They refer. And they continue to provide honest, useful feedback because they have seen evidence that it matters.
The cost of doing nothing
Practices that avoid patient feedback because of HIPAA concerns are not eliminating risk. They are choosing a different kind of risk. The risk that patients are unhappy and the practice does not know. The risk that operational problems persist because nobody surfaces them. The risk that competitors who do collect feedback are learning faster and improving faster.
HIPAA is real, and compliance matters. But compliance and patient feedback are not in conflict. They are compatible, provided the feedback system is designed with the right guardrails. Generic prompts, secure storage, controlled access, and general follow-ups. That is the framework. It is not complicated. And the practices that implement it gain something that no clinical metric can provide: a direct line to how patients actually feel about their care.
For a related look at patient engagement in practice operations, see our piece on patient satisfaction in the modern practice.